Vulnerabilites related to hallowelt - bluespice
CVE-2022-42000 (GCVE-0-2022-42000)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-28 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-42000",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-28T20:13:34.382348Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-28T20:13:51.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-04",
"discovery": "INTERNAL"
},
"title": "Potential XSS in comment section",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-42000",
"datePublished": "2022-11-15T14:24:50.697Z",
"dateReserved": "2022-10-07T00:00:00.000Z",
"dateUpdated": "2025-04-28T20:13:51.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41814 (GCVE-0-2022-41814)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 19:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:37.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T19:13:31.891802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T19:13:52.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-04",
"discovery": "INTERNAL"
},
"title": "Potential XSS in history view",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-41814",
"datePublished": "2022-11-15T14:24:50.408Z",
"dateReserved": "2022-10-07T00:00:00.000Z",
"dateUpdated": "2025-04-29T19:13:52.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46703 (GCVE-0-2025-46703)
Vulnerability from cvelistv5
Published
2025-09-19 13:09
Modified
2025-09-19 14:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 5 ≤ 5.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T14:04:09.185999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T14:04:13.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Extension:AtMentions"
],
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThanOrEqual": "5.1.1",
"status": "affected",
"version": "5",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-09-18T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).\u003cbr\u003e\u003cp\u003eThis issue affects BlueSpice: from 5 through 5.1.1.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:09:20.143Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS in Extension:AtMentions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2025-46703",
"datePublished": "2025-09-19T13:09:20.143Z",
"dateReserved": "2025-09-18T12:55:40.967Z",
"dateUpdated": "2025-09-19T14:04:13.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42431 (GCVE-0-2023-42431)
Vulnerability from cvelistv5
Published
2023-10-30 10:48
Modified
2024-09-06 18:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 Version: 3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:16:51.059Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T17:46:32.394405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T18:06:33.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "4",
"versionType": "major"
},
{
"lessThanOrEqual": "3.2.10",
"status": "affected",
"version": "3",
"versionType": "major"
}
]
}
],
"datePublic": "2023-10-30T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context."
}
],
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T10:50:52.614Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS on user preferences page",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2023-42431",
"datePublished": "2023-10-30T10:48:21.487Z",
"dateReserved": "2023-10-16T14:12:02.578Z",
"dateUpdated": "2024-09-06T18:06:33.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3893 (GCVE-0-2022-3893)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.777Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T20:12:31.200455Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T20:12:41.873Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-06",
"discovery": "INTERNAL"
},
"title": "Potential XSS on custom menu navigation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-3893",
"datePublished": "2022-11-15T14:24:48.875Z",
"dateReserved": "2022-11-08T00:00:00.000Z",
"dateUpdated": "2025-04-29T20:12:41.873Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58114 (GCVE-0-2025-58114)
Vulnerability from cvelistv5
Published
2025-09-19 13:10
Modified
2025-09-19 13:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).This issue affects BlueSpice: from 5 through 5.1.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 5 ≤ 5.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58114",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:55:47.848998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:55:52.996Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Extension:CognitiveProcessDesigner"
],
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThanOrEqual": "5.1.1",
"status": "affected",
"version": "5",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-09-18T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).\u003cp\u003eThis issue affects BlueSpice: from 5 through 5.1.1.\u003c/p\u003e"
}
],
"value": "Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).This issue affects BlueSpice: from 5 through 5.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:10:38.231Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS in Extension:CognitiveProcessDesigner",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2025-58114",
"datePublished": "2025-09-19T13:10:38.231Z",
"dateReserved": "2025-09-18T12:55:40.990Z",
"dateUpdated": "2025-09-19T13:55:52.996Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3958 (GCVE-0-2022-3958)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:27:53.105Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-07"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T20:09:32.401312Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T20:09:39.611Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-07"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-07",
"discovery": "INTERNAL"
},
"title": "Potential XSS on personal menu navigation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-3958",
"datePublished": "2022-11-15T14:24:49.568Z",
"dateReserved": "2022-11-11T00:00:00.000Z",
"dateUpdated": "2025-04-29T20:09:39.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2510 (GCVE-0-2022-2510)
Vulnerability from cvelistv5
Published
2022-07-22 15:57
Modified
2024-09-16 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.1.1 Version: 3 < 3.2.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.1.1",
"status": "affected",
"version": "4",
"versionType": "custom"
},
{
"lessThan": "3.2.9",
"status": "affected",
"version": "3",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-01-31T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in \"Extension:ExtendedSearch\" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page \"Special:SearchCenter\", using the search term in the URL."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T15:57:13",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to BlueSpice 3.2.9, 4.1.1 or higher"
}
],
"source": {
"advisory": "BSSA-2022-01",
"discovery": "EXTERNAL"
},
"title": "Potential XSS on Special:SearchCenter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@bluespice.com",
"DATE_PUBLIC": "2022-01-31T11:00:00.000Z",
"ID": "CVE-2022-2510",
"STATE": "PUBLIC",
"TITLE": "Potential XSS on Special:SearchCenter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BlueSpice",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4",
"version_value": "4.1.1"
},
{
"version_affected": "\u003c",
"version_name": "3",
"version_value": "3.2.9"
}
]
}
}
]
},
"vendor_name": "Hallo Welt! GmbH"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) vulnerability in \"Extension:ExtendedSearch\" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page \"Special:SearchCenter\", using the search term in the URL."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01",
"refsource": "CONFIRM",
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to BlueSpice 3.2.9, 4.1.1 or higher"
}
],
"source": {
"advisory": "BSSA-2022-01",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-2510",
"datePublished": "2022-07-22T15:57:13.504012Z",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-09-16T16:38:23.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-42001 (GCVE-0-2022-42001)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 15:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-05"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-42001",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T15:50:49.191106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T15:51:06.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-05"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-05",
"discovery": "INTERNAL"
},
"title": "Potential XSS in book navigation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-42001",
"datePublished": "2022-11-15T14:24:50.942Z",
"dateReserved": "2022-10-07T00:00:00.000Z",
"dateUpdated": "2025-04-29T15:51:06.904Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2511 (GCVE-0-2022-2511)
Vulnerability from cvelistv5
Published
2022-07-22 15:56
Modified
2024-09-17 01:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.
References
| ▼ | URL | Tags |
|---|---|---|
| https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.1.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:08.069Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.1.3",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-04-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in the \"commonuserinterface\" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-22T15:56:23",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.1.3 or later"
}
],
"source": {
"advisory": "BSSA-2022-02",
"discovery": "EXTERNAL"
},
"title": "Potential XSS in title URL parameter",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@bluespice.com",
"DATE_PUBLIC": "2022-04-25T10:00:00.000Z",
"ID": "CVE-2022-2511",
"STATE": "PUBLIC",
"TITLE": "Potential XSS in title URL parameter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "BlueSpice",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "4",
"version_value": "4.1.3"
}
]
}
}
]
},
"vendor_name": "Hallo Welt! GmbH"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) vulnerability in the \"commonuserinterface\" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02",
"refsource": "CONFIRM",
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.1.3 or later"
}
],
"source": {
"advisory": "BSSA-2022-02",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-2511",
"datePublished": "2022-07-22T15:56:23.016618Z",
"dateReserved": "2022-07-22T00:00:00",
"dateUpdated": "2024-09-17T01:56:03.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3895 (GCVE-0-2022-3895)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 18:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | Common User Interface Component |
Version: 3 < 3.0.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:20:58.454Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T18:11:00.732213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T18:12:08.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Common User Interface Component",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "3.0.5",
"status": "affected",
"version": "3",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Common User Interface 3.0.5 or later. This is included in BlueSpice 4.2.1 or later."
}
],
"source": {
"advisory": "BSSA-2022-08",
"discovery": "INTERNAL"
},
"title": "Potential XSS in common user interface component library",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-3895",
"datePublished": "2022-11-15T14:24:49.235Z",
"dateReserved": "2022-11-08T00:00:00.000Z",
"dateUpdated": "2025-04-29T18:12:08.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41611 (GCVE-0-2022-41611)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 20:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-03"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T20:09:09.513696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T20:09:18.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-03"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-03",
"discovery": "INTERNAL"
},
"title": "Potential XSS on sidebar navigation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-41611",
"datePublished": "2022-11-15T14:24:49.902Z",
"dateReserved": "2022-10-07T00:00:00.000Z",
"dateUpdated": "2025-04-29T20:09:18.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41789 (GCVE-0-2022-41789)
Vulnerability from cvelistv5
Published
2022-11-15 14:24
Modified
2025-04-29 20:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 4 < 4.2.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.793Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T20:08:50.836561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T20:08:57.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "4",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-11-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-15T00:00:00.000Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to BlueSpice 4.2.1 or later"
}
],
"source": {
"advisory": "BSSA-2022-04",
"discovery": "INTERNAL"
},
"title": "Potential XSS on default page header",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2022-41789",
"datePublished": "2022-11-15T14:24:50.166Z",
"dateReserved": "2022-10-07T00:00:00.000Z",
"dateUpdated": "2025-04-29T20:08:57.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48007 (GCVE-0-2025-48007)
Vulnerability from cvelistv5
Published
2025-09-19 13:09
Modified
2025-09-19 14:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 5 ≤ 5.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T14:03:47.417130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T14:03:52.710Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Extension:BlueSpiceAvatars"
],
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThanOrEqual": "5.1.1",
"status": "affected",
"version": "5",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-09-18T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS).\u003cbr\u003e\u003cp\u003eThis issue affects BlueSpice: from 5 through 5.1.1.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:09:47.243Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS in Extension:BlueSpiceAvatars",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2025-48007",
"datePublished": "2025-09-19T13:09:47.243Z",
"dateReserved": "2025-09-18T12:55:40.980Z",
"dateUpdated": "2025-09-19T14:03:52.710Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-57880 (GCVE-0-2025-57880)
Vulnerability from cvelistv5
Published
2025-09-19 13:10
Modified
2025-09-19 13:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hallo Welt! GmbH | BlueSpice |
Version: 5 ≤ 5.1.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57880",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:56:28.180417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:56:35.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"modules": [
"Extension:BlueSpiceWhoIsOnline"
],
"product": "BlueSpice",
"vendor": "Hallo Welt! GmbH",
"versions": [
{
"lessThanOrEqual": "5.1.1",
"status": "affected",
"version": "5",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-09-18T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS).\u003cbr\u003e\u003cp\u003eThis issue affects BlueSpice: from 5 through 5.1.1.\u003c/p\u003e"
}
],
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:10:12.916Z",
"orgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"shortName": "HW"
},
"references": [
{
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Potential XSS in Extension:BlueSpiceWhoIsOnline",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "ff95705b-1a40-4639-8017-a58fa868baee",
"assignerShortName": "HW",
"cveId": "CVE-2025-57880",
"datePublished": "2025-09-19T13:10:12.916Z",
"dateReserved": "2025-09-18T12:55:41.004Z",
"dateUpdated": "2025-09-19T13:56:35.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:24
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile extension of BlueSpice allows user with comment permissions to inject arbitrary HTML into the comment section of a wikipage."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceSocialProfile de BlueSpice permite al usuario con permisos de comentarios inyectar HTML arbitrario en la secci\u00f3n de comentarios de una p\u00e1gina wiki."
}
],
"id": "CVE-2022-42000",
"lastModified": "2024-11-21T07:24:14.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:17.220",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:20
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceUserSidebar extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the personal menu navigation of their own and other users. This allows for targeted attacks."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceUserSidebar de BlueSpice permite a los usuarios con cuenta normal y permisos de edici\u00f3n inyectar HTML arbitrario en el men\u00fa de navegaci\u00f3n personal de sus propios usuarios y de otros usuarios. Esto permite ataques dirigidos."
}
],
"id": "CVE-2022-3958",
"lastModified": "2024-11-21T07:20:36.960",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:13.057",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-07"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-07"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 11:15
Modified
2024-11-21 08:22
Severity ?
2.1 (Low) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@bluespice.com | https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF1F2433-46DE-4702-8E7F-86EDC716AA5B",
"versionEndExcluding": "3.2.10.1",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FFF74443-3D2C-489C-803F-3FA8F09FBE0A",
"versionEndExcluding": "4.3.3",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension of BlueSpice allows logged in user to inject arbitrary HTML into the profile image dialog on Special:Preferences. This only applies to the genuine user context."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceAvatars de BlueSpice permite al usuario que ha iniciado sesi\u00f3n inyectar HTML arbitrario en el cuadro de di\u00e1logo de la imagen de perfil en Especial:Preferencias. Esto s\u00f3lo se aplica al contexto del usuario genuino."
}
],
"id": "CVE-2023-42431",
"lastModified": "2024-11-21T08:22:31.247",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-30T11:15:39.267",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2023-02"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:23
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows logged in user with edit permissions to inject arbitrary HTML into the default page header of a wikipage."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en BlueSpiceDiscovery skin de BlueSpice permite que un usuario que haya iniciado sesi\u00f3n con permisos de edici\u00f3n inyecte HTML arbitrario en el encabezado de p\u00e1gina predeterminado de una p\u00e1gina wiki."
}
],
"id": "CVE-2022-41789",
"lastModified": "2024-11-21T07:23:50.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:14.957",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-22 16:15
Modified
2024-11-21 07:01
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B63A87C-2396-4485-A5AB-4E489B1F91C8",
"versionEndExcluding": "3.2.9",
"versionStartIncluding": "3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:4.1.0:-:*:*:*:*:*:*",
"matchCriteriaId": "66D81BBC-94D2-4EF6-94CC-DEB5FF3E1479",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:4.1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EC6591A2-08BD-46F4-8709-947AF439C2BA",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in \"Extension:ExtendedSearch\" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page \"Special:SearchCenter\", using the search term in the URL."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) en \"Extension:ExtendedSearch\" de Hallo Welt! GmbH BlueSpice permite a un atacante inyectar HTML arbitrario (XSS) en la p\u00e1gina \"Special:SearchCenter\", usando el t\u00e9rmino de b\u00fasqueda en la URL"
}
],
"id": "CVE-2022-2510",
"lastModified": "2024-11-21T07:01:08.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-22T16:15:08.297",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-01"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:20
Severity ?
4.0 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hallowelt | bluespice | * | |
| hallowelt | common_user_interface | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hallowelt:common_user_interface:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0CDC405B-9837-4BCD-80EA-8CCE45E1B223",
"versionEndExcluding": "3.0.5",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Some UI elements of the Common User Interface Component are not properly sanitizing output and therefore prone to output arbitrary HTML (XSS)."
},
{
"lang": "es",
"value": "Algunos elementos de la interfaz de usuario del componente de interfaz de usuario com\u00fan no sanitizan adecuadamente la salida y, por lo tanto, son propensos a generar HTML arbitrario (XSS)."
}
],
"id": "CVE-2022-3895",
"lastModified": "2024-11-21T07:20:29.067",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:12.167",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-08"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:23
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the history view of a wikipage."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceFoundation de BlueSpice permite a un usuario con cuenta normal y permisos de edici\u00f3n inyectar HTML arbitrario en la vista del historial de una p\u00e1gina wiki."
}
],
"id": "CVE-2022-41814",
"lastModified": "2024-11-21T07:23:53.390",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:16.007",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-04"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-19 14:15
Modified
2025-09-22 16:21
Severity ?
Summary
Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).This issue affects BlueSpice: from 5 through 5.1.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "178986E6-095B-40A9-BC2E-A182AE8E9979",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Hallo Welt! GmbH BlueSpice (Extension:CognitiveProcessDesigner) allows Cross-Site Scripting (XSS).This issue affects BlueSpice: from 5 through 5.1.1."
}
],
"id": "CVE-2025-58114",
"lastModified": "2025-09-22T16:21:52.940",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@bluespice.com",
"type": "Secondary"
}
]
},
"published": "2025-09-19T14:15:50.147",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-07-22 16:15
Modified
2024-11-21 07:01
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D6E99FA-9471-4CD4-BF82-939EB3A35572",
"versionEndExcluding": "4.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in the \"commonuserinterface\" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) en el componente \"commonuserinterface\" de BlueSpice permite a un atacante inyectar HTML arbitrario en una p\u00e1gina usando el par\u00e1metro title de la URL de llamada"
}
],
"id": "CVE-2022-2511",
"lastModified": "2024-11-21T07:01:08.747",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-22T16:15:08.367",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-02"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:20
Severity ?
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceCustomMenu extension of BlueSpice allows user with admin permissions to inject arbitrary HTML into the custom menu navigation of the application."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceCustomMenu de BlueSpice permite al usuario con permisos de administrador inyectar HTML arbitrario en el men\u00fa de navegaci\u00f3n personalizado de la aplicaci\u00f3n."
}
],
"id": "CVE-2022-3893",
"lastModified": "2024-11-21T07:20:27.953",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:10.813",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-06"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-19 14:15
Modified
2025-09-22 16:21
Severity ?
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "178986E6-095B-40A9-BC2E-A182AE8E9979",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceWhoIsOnline) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"id": "CVE-2025-57880",
"lastModified": "2025-09-22T16:21:50.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@bluespice.com",
"type": "Secondary"
}
]
},
"published": "2025-09-19T14:15:48.983",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-19 14:15
Modified
2025-09-22 16:21
Severity ?
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "178986E6-095B-40A9-BC2E-A182AE8E9979",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:AtMentions) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"id": "CVE-2025-46703",
"lastModified": "2025-09-22T16:21:56.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@bluespice.com",
"type": "Secondary"
}
]
},
"published": "2025-09-19T14:15:45.050",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-09-19 14:15
Modified
2025-09-22 16:21
Severity ?
Summary
Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS).
This issue affects BlueSpice: from 5 through 5.1.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "178986E6-095B-40A9-BC2E-A182AE8E9979",
"versionEndExcluding": "5.1.2",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Encoding or Escaping of Output vulnerability in Hallo Welt! GmbH BlueSpice (Extension:BlueSpiceAvatars) allows Cross-Site Scripting (XSS).\nThis issue affects BlueSpice: from 5 through 5.1.1."
}
],
"id": "CVE-2025-48007",
"lastModified": "2025-09-22T16:21:58.673",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@bluespice.com",
"type": "Secondary"
}
]
},
"published": "2025-09-19T14:15:45.203",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2025-05"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:24
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extension of BlueSpice allows user with regular account and edit permissions to inject arbitrary HTML into the book navigation."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en la extensi\u00f3n BlueSpiceBookshelf de BlueSpice permite a los usuarios con una cuenta normal y permisos de edici\u00f3n inyectar HTML arbitrario en la navegaci\u00f3n del libro."
}
],
"id": "CVE-2022-42001",
"lastModified": "2024-11-21T07:24:14.807",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:18.243",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-05"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-05"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-15 15:15
Modified
2024-11-21 07:23
Severity ?
2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hallowelt:bluespice:*:*:*:*:*:*:*:*",
"matchCriteriaId": "696F93D5-AB35-4EA3-AEDB-9C868E94ED6D",
"versionEndExcluding": "4.2.1",
"versionStartIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of BlueSpice allows user with admin privileges to inject arbitrary HTML into the main navigation of the application."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en BlueSpiceDiscovery skin de BlueSpice permite al usuario con privilegios de administrador inyectar HTML arbitrario en la navegaci\u00f3n principal de la aplicaci\u00f3n."
}
],
"id": "CVE-2022-41611",
"lastModified": "2024-11-21T07:23:29.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.8,
"impactScore": 1.4,
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-15T15:15:14.117",
"references": [
{
"source": "security@bluespice.com",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2022-03"
}
],
"sourceIdentifier": "security@bluespice.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@bluespice.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}